‘Bottom line it for me’: executives make cybersecurity decisions in two thirds of companies

This supports the positive trend of IT security becoming part of the agenda for board-level discussions. Moreover, C-suite involvement correlates with the size of IT security budgets, as companies who invest more heavily in IT security are more likely to have their executives involved in the decision-making process.

IT security is no longer just one more office department— as Kaspersky’s report, “IT security economics in 2019: how businesses are losing money and saving costs amid cyberattacks”, shows. Today, top management executives find themselves needing to better understand IT security trends and risks, while IT security professionals need to be able to clearly explain cybersecurity issues to the board. This will result in better cooperation and a transparent decision-making process.

There is a clear correlation between top management involvement and business cybersecurity budgets. Across companies with a budget of more than $5m, the majority (72%) have their executives take part in the financial aspect of IT security. Meanwhile, across companies with smaller budgets – up to $25k for enterprises and up to $2.5k for SMBs — the percentage of those with C-level executives involved in budget decisions is around 50%.

IT security budget and involvement of C-level staff in IT security decision making

When it comes to specific budget size, in companies in which C-level executives are involved in cybersecurity decision-making, it is well suited to the global cybersecurity budget pace. In these companies, cybersecurity spending reaches $264k for SMBs and $18m amongst enterprises. That is almost equal to the average spending across all surveyed companies: for SMBs it reached $267k compared to $256k in 2018; for enterprises it is $18.9m, up from $8.9m in 2018.

“Cooperation between IT security teams and the board is beneficial for all businesses. If your company has not yet established this process, now is the right time to get started. IT security teams should go to their top-level management, explain the risks and what they need to mitigate them, how much money they need and how they will spend their budget. This helps executives to understand the importance of IT security for their business and to invest in it according to the real risks,” says Alexander Moiseev, Chief Business Officer, Kaspersky.

To help IT security managers improve their budgeting process and better align it with company executives, Kaspersky recommends:

• Assess your company’s cybersecurity risks when planning your budget. Consider the cost to the company and the probability of their occurrence. A list of the most frequent cybersecurity incidents and costs of data breaches, based on a survey of 5,000 IT security professionals globally, can be found in the report.
• Rely on expertise. Decisions about the purchasing of cybersecurity tools or services should not be taken by one person. Before this stage, expert analysis should be made that reveals the best option for the best price.
• Involve higher management in cybersecurity matters, including budgets and make sure to speak to them in their language. Don’t tell them how cybersecurity works, show them the business risks and the amount of money they can lose by not improving cybersecurity.
• Use a free tool by Kaspersky to check your budget benchmark. Enter your company’s region, size and industry to see the average budget for similar companies to yours. This can be helpful at the early stage of budget planning to understand the landscape in your industry. Or, when your budget is finalized, use it to compare with the average spend. This IT security calculator has been updated and includes the most recent data for 2019, as well as retrospective spending averages for previous years, to see how budgets have been changing.

The full report, “IT security economics in 2019: how businesses are losing money and saving costs amid cyberattacks” can be found here.